
Re: Design question

On 07/22/10 12:49 AM, Isaac Hailperin wrote:

> Currently I am redesigning the LDAP server for a site which has about 700 users, with approximately 200 new users per year, and maybe a little less dropping out every year.
>
> The information about the lifetime of an account is kept in a different database (MySQL). Thus, in order to check if an account is expired, I need to check with that database. While this might not be the happiest situation, it is partly due to historical reasons, partly due to other restrictions beyond my reach. In any case, there is nothing I can do about it.
>
> Now I would like to have a way to make sure that usernames and numerical uids will never get reused. Also, I would like to keep track of who had an account, sort of a history.
>
> Two ideas came to my mind:
> 1. Have an "expired" flag in the schema. Records with the expired flag would be blocked from login with an appropriate ACL.
> 2. Have an archive subtree, where expired records get moved to.
>
> The beauty of the first idea seems to me that it is very simple. The downside is that there would be two places where the expired flag would live, the LDAP server and the other database (see above). Also, over the years, the number of records in the people subtree would grow and grow (not sure if this is a disadvantage though).
>
> The beauty of the second idea is that the people subtree would be "clean", containing only active accounts. The downside seems to me that it looks a bit more involved.
>
> Now I was wondering how other people have solved this, or if anyone would favor one of the solutions.

I work with an organisation of similar size and we delete leavers from the LDAP server and just archive their home directories.

One disadvantage of 1 is your database will grow and your searches will become slower.

LDAP isn't really the place for archival data; if you want to preserve it, export the LDIF for the user and archive that.
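The question's requirement (usernames and uidNumbers must never be reused) and the reply's suggestion (delete the entry, keep its LDIF) fit together if the allocation step consults the archived LDIF as well as the live tree. The following is an added example written for this thread, not code from either poster: it splits a leaver's entry out of the live LDIF into an archive copy and then allocates new identifiers against live and archived entries combined. The entries, the dc=example,dc=org suffix and the uidNumber range starting at 10000 are constructed sample data; the minimal LDIF reader handles comments, folded lines and base64 (`::`) values only, and attribute names come back out lowercased, which LDAP treats as equivalent.

```python
import base64

# Constructed sample data, not a real directory: the live people subtree
# plus one previously archived leaver, both as LDIF text.
LIVE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 10001

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: bob
uidNumber: 10002
"""

ARCHIVE_LDIF = """\
# archived 2010-06-30
dn: uid=carol,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: carol
uidNumber: 10003
"""


def parse_ldif(text):
    """Return a list of entries, each a dict of lowercased attribute name -> [values].
    Handles '#' comments, folded continuation lines and base64 ('::') values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # continuation of previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:                  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):                 # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def serialize_ldif(entries):
    """Write entries back out as LDIF (dn first, then the remaining attributes)."""
    blocks = []
    for entry in entries:
        lines = ["dn: " + entry["dn"][0]]
        for attr, values in entry.items():
            if attr != "dn":
                lines.extend(f"{attr}: {v}" for v in values)
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


def used_identifiers(*ldif_texts):
    """Every uid (lowercased, since uid uses caseIgnoreMatch) and uidNumber
    ever allocated, across the live tree and any archive files passed in."""
    uids, numbers = set(), set()
    for text in ldif_texts:
        for entry in parse_ldif(text):
            uids.update(v.lower() for v in entry.get("uid", []))
            numbers.update(int(v) for v in entry.get("uidnumber", []))
    return uids, numbers


def username_available(name, *ldif_texts):
    uids, _ = used_identifiers(*ldif_texts)
    return name.lower() not in uids


def next_uidnumber(*ldif_texts, floor=10000):
    """Monotonic: one above the highest number ever issued, leavers included."""
    _, numbers = used_identifiers(*ldif_texts)
    return max(max(numbers, default=0), floor - 1) + 1


def archive_entry(live_text, uid, archived_on):
    """Split the leaver's entry out of the live LDIF.
    Returns (archive_ldif, remaining_live_ldif)."""
    entries = parse_ldif(live_text)
    leaving = [e for e in entries
               if uid.lower() in (v.lower() for v in e.get("uid", []))]
    if len(leaving) != 1:
        raise LookupError(f"expected one entry with uid={uid}, found {len(leaving)}")
    staying = [e for e in entries if e is not leaving[0]]
    return f"# archived {archived_on}\n" + serialize_ldif(leaving), serialize_ldif(staying)


if __name__ == "__main__":
    archived, remaining = archive_entry(LIVE_LDIF, "bob", "2010-07-22")
    print(next_uidnumber(remaining))                          # 10002: bob's number reused
    print(next_uidnumber(remaining, ARCHIVE_LDIF, archived))  # 10004: archive reserves it
```

The point of the last two lines: once bob is deleted from the live tree, allocating from the live tree alone hands his uidNumber to the next joiner, which is exactly what the question wants to avoid; feeding the archived LDIF into the same allocation step keeps both his uid and uidNumber reserved without keeping him in the directory.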